Unless i am missing something, the addition of a "hard-key" would not be any better than a stored password.
If you authorize the machine, or a piece of hardware plugged into the machine does not make a difference. What keeps another process/user/root/admin from requesting the password/authorization from the hard-key? (possibly a password that has to be entered by an admin? and the cycle continues) odiT Just because you're paranoid, doesn't mean that they are not out to get you... -----Original Message----- From: Pablo Sol� [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 2:19 PM To: [EMAIL PROTECTED] Cc: IRCXpro Support Subject: Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords > Many programs need a private key for encryption. Possession of this key is usually part if not all of the decision for authentication. > > The only relatively safe way of maintaining this key on disk is to encrypt it and require a decryption password from the user when starting the process. > > Unfortunately, system admins have a beef with servers that restart and require an operator to input a password to get the >services up, especially in production environments. An example of this is when you run a https server with a signed cert and non empty passphrase. You need to put the key everytime you restart the service. IMHO, a solution could be some kind of hard-key (EEPROM connected to the parallel port). pablo. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
